House of Spirit

The House of Spirit differs a little from the other attacks in that the attacker overwrites an existing pointer before it is 'freed'. The attacker creates a 'fake chunk', which can reside anywhere in memory (heap, stack, etc.), and overwrites the pointer so that it points to the fake chunk. The chunk has to be crafted so that it passes all of the allocator's security checks. This is not difficult and only involves setting the chunk's size field and the size field of the next chunk. When the fake chunk is freed, it is inserted into an appropriate bin list (preferably a fastbin). A subsequent malloc call for this size returns the attacker's fake chunk. The end result is similar to the 'forging chunks' attack described earlier.

Notice that, as expected, the returned pointer is 0x10 (16 bytes) ahead of fake_chunks[0]: this is the address where the chunk's fd pointer is stored. This primitive opens the door to further attacks, since victim now points to memory on the stack instead of the heap segment. By modifying return addresses on the stack, the attacker can control the execution of the program.
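To make the "security checks" mentioned above concrete, the following added example (not code from the page or from any glibc source) replays the sanity checks that glibc's fastbin free path applies to a chunk, using the same layout as the fake_chunks array: the size field at index 1, the user pointer at index 2 (16 bytes past index 0) and the following chunk's size field right after the chunk body. It assumes a 64-bit glibc with default tunables (MINSIZE 0x20, global_max_fast 0x80) and a pre-tcache fastbin path; the region, the field values and the system_mem figure are constructed sample data. Every read is bounds-checked and nothing is ever passed to the real free(), so it can be run safely; what it shows is which combinations of size and next-size are accepted, and that none of the checks verifies whether the chunk lies inside the heap at all.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed: 64-bit glibc with default tunables, pre-tcache fastbin path. */
#define SIZE_SZ      8UL
#define MALLOC_ALIGN 16UL
#define MINSIZE      32UL
#define MAX_FAST     0x80UL      /* default global_max_fast on 64-bit */
#define SIZE_MASK    (~7UL)      /* drops PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA */

enum verdict {
    ACCEPTED_FASTBIN,   /* chunk would be linked into a fastbin */
    INVALID_POINTER,    /* glibc: "free(): invalid pointer" */
    INVALID_SIZE,       /* glibc: "free(): invalid size" */
    NOT_FASTBIN,        /* too big for a fastbin; the slower paths check more */
    INVALID_NEXT_SIZE,  /* glibc: "free(): invalid next size (fast)" */
    OUT_OF_MODEL        /* a field lies outside the region we model */
};

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = { "ACCEPTED_FASTBIN", "INVALID_POINTER",
        "INVALID_SIZE", "NOT_FASTBIN", "INVALID_NEXT_SIZE", "OUT_OF_MODEL" };
    return names[v];
}

/* Replay the checks _int_free() applies before linking a chunk into a fastbin.
 * `words` is attacker-influenced memory, `idx` the index of the pointer handed
 * to free(), so the chunk header is words[idx-2] (prev_size) and words[idx-1]
 * (size). `system_mem` stands in for av->system_mem. Every read is
 * bounds-checked, so this never touches the real allocator. */
enum verdict fastbin_free_checks(const uint64_t *words, size_t nwords,
                                 size_t idx, uint64_t system_mem)
{
    if (idx < 2 || idx > nwords)
        return OUT_OF_MODEL;

    uintptr_t p = (uintptr_t)&words[idx - 2];       /* mem2chunk(mem) */
    uint64_t size = words[idx - 1] & SIZE_MASK;      /* chunksize(p) */

    /* 1. chunk address must be 16-byte aligned and must not wrap around */
    if (p % MALLOC_ALIGN != 0 || p > (uintptr_t)-size)
        return INVALID_POINTER;

    /* 2. size must be at least MINSIZE and a multiple of MALLOC_ALIGNMENT */
    if (size < MINSIZE || size % MALLOC_ALIGN != 0)
        return INVALID_SIZE;

    /* 3. only fastbin-sized chunks take the cheap path modelled here */
    if (size > MAX_FAST)
        return NOT_FASTBIN;

    /* 4. the size field of the chunk that follows must be > 2*SIZE_SZ and
     *    < system_mem. Note what is never checked: whether p lies inside the
     *    heap at all, which is why a stack-resident fake chunk is accepted. */
    size_t next_idx = (idx - 2) + size / SIZE_SZ + 1;
    if (next_idx >= nwords)
        return OUT_OF_MODEL;
    uint64_t next_raw = words[next_idx];
    if (next_raw <= 2 * SIZE_SZ || (next_raw & SIZE_MASK) >= system_mem)
        return INVALID_NEXT_SIZE;

    return ACCEPTED_FASTBIN;
}

/* Build a fake chunk in the same layout as the page's fake_chunks array:
 * size field at index 1, user pointer at index 2 (16 bytes past index 0) and
 * the following chunk's size field right after the chunk body. Constructed
 * sample data in a static array, not a real heap. */
enum verdict check_fake_chunk(uint64_t size_field, uint64_t next_size_field,
                              uint64_t system_mem)
{
    static uint64_t region[32] __attribute__((aligned(16)));
    memset(region, 0, sizeof region);
    region[1] = size_field;
    size_t next_idx = (size_field & SIZE_MASK) / SIZE_SZ + 1;
    if (next_idx < 32)
        region[next_idx] = next_size_field;
    return fastbin_free_checks(region, 32, 2, system_mem);
}

int main(void)
{
    const uint64_t system_mem = 0x21000;   /* constructed: size of a fresh main-arena heap */
    struct { uint64_t size, next; } cases[] = {
        { 0x40, 0x1234 },    /* 0x40 fastbin chunk, plausible next size: accepted */
        { 0x41, 0x1234 },    /* PREV_INUSE bit set: flag bits are masked off */
        { 0x40, 0x8 },       /* next size too small */
        { 0x40, 0x21000 },   /* next size not below system_mem */
        { 0x38, 0x1234 },    /* size not 16-byte aligned */
        { 0x10, 0x1234 },    /* size below MINSIZE */
        { 0x90, 0x1234 },    /* above global_max_fast: not a fastbin chunk */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("size=0x%-4llx next=0x%-6llx -> %s\n",
               (unsigned long long)cases[i].size,
               (unsigned long long)cases[i].next,
               verdict_name(check_fake_chunk(cases[i].size, cases[i].next, system_mem)));
    return 0;
}
```

The table of verdicts is the practical takeaway for anyone auditing code or writing a detection: a freed pointer only has to satisfy alignment, a sane size field and a plausible next size, so a defensive check that wants to reject this class of corruption has to add what glibc does not, namely that the pointer falls inside a region the allocator actually handed out. On glibc 2.26 and later the tcache path runs before the fastbin path and performs even fewer checks on the chunk's neighbours, so the modelled fastbin checks are an upper bound on what free() verifies there.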